tags:

views:

178

answers:

9
+4  Q: 

Logging authentication attempts including passwords

I'm writing a comprehensive authentication system for an application and I was planning on logging failed authentication attempts in order to implement better security. I would like to check failed passwords for both brute force and dictionary attacks, however the only method I could think of doing this is by storing the raw password.

I have mixed feelings about doing this. Although I know that the failed login attempts will be cleared every so often I don't like the idea of raw passwords being stored in a database. I know I mistype passwords very often which are very similar to my real password, or worse yet I'll type a wrong password for a particular login that is actually an active password for another website I belong to.

It would however be impossible to implement advanced security without storing some raw passwords, so I'm trying to think about the best way to do it.

Here are some possible solutions I have thought of:

  • Don't store more then 24 hours of login attempts. This isn't really a solution, more of simply limiting the damage if the passwords are compromised.
  • Clear a users failed attempts if they are successfully authenticated.

Anyone have any input on this? Is this a good/bad idea? Should I use two-way encryption?

+10  A: 

there's a big difference between a user making mistakes and a brute force / dictionary attack: the volume of requests. Don't store failed attempts - you're quite right that the plaintext password should be handled minimally - just look at the pattern of attempts. That should be enough data.

anything else, and your 'advanced security' starts looking like 'advanced attack vector possibilities'.

Peter  2009-11-18 21:02:40
I was planning on throttling the login attempts as well as doing this, however after reading the response I've decided I'm simply being overly paranoid. Thank you to everyone for responding, much appreciated.
evolve  2009-11-18 21:18:51
+2  A: 

Logging raw passwords seems like a really bad idea, as you pointed out yourself.

Could you just log the username, and the times of failed logins, without actually logging the passwords? It would be fairly obvious if there was a bruteforce attack if there were hundreds of log-in attempts within a short space of time. You can also log the IP address.

Mark Byers  2009-11-18 21:05:18
I am already planning on limiting the number of login attempts per hour to a number say 15 (yet to be determined).I suppose I'm just being overly paranoid.
evolve  2009-11-18 21:07:01
I don't know if you are being overly paranoid. A dictionary attack may succeed eventually if your some of your users have weak passwords and don't change them for a long time. The attack could go unnoticed for several months, quietly churning through its dictionary. Logging as much as you can is still a good idea, just not the raw passwords, and if you spot some suspicious activity you can ban the IP address before it has broken any passwords.
Mark Byers  2009-11-18 21:15:13
A: 

Depending on the authentication protocol you select, e.g., in the case of Kerberos, you may not even have access to the password entered.

fatcat1111  2009-11-18 21:11:25
+1  A: 

I'm not sure what you mean when you mention storing raw passwords- presumably you only want to store the failed password attempts in plain text to analyze for patterns (dictionary attacks) and volume (brute force).

In my limited experience, you would take the user's inputted password, hash it (with a salt, the same salt used to hash the stored password) and compare with the stored hashed value. If the validation fails (the hashed values are not equal), log the plain text version of the password used for the attempt.

I would advise also implementing locking out of an account after a certain number of failed attempts and possibly having an exponential timeout window for when a login attempt can be tried again. If a user enters a password incorrectly to begin, but then enters a password correctly, you might consider deleting the password captured for the failed login for this particular session.

Russ Cam  2009-11-18 21:11:41
+4  A: 

This seems like over-engineering. I would just keep track of failed login attempts & after $x amount of failed login attempts, you then block the IP from attempting another login for 1-24hrs or so.

If you're concerned someone is targeting a specific account you can note the number of failed attempts on a specific username & then take appropriate measures, such as limiting failed logins on that username to 2 or 3 per 24hr period on any ip address.

I can think of ways you could try to detect dictionary/brute attacks via comparison, but you're going to have to collect user input and compare it to previous attempts, this could be a security problem if you're storing slightly misspelled legitimate passwords in a database. Plus this is going to take up quite a bit of CPU power to churn through for every login.

The goal should be to make it intensively slow for brute-force attackers, but not annoying or compromising for legitimate users.

Though now that I am thinking on this a bit more, the prevention method could also be a way of denial-of-service by locking users out of being able to login, so take my suggestion with that in mind.

Klinky  2009-11-18 21:12:06
A: 

Have you thought of a set amount of login's then a timed block? If login fails 3x/5x/10x if you want, then lock the account completely for a specified period of time.

By doing this you make it so painstaking for a brute-forcer to use, that they probably just won't bother trying. Logging every failed attempt, and more so even the thought of plain text passwords is a bad idea. Rather use the following analogy:

"If I make my house so difficult to get into, they'll try the neighbours first."

Make life difficult for the brute forcers and they won't bother.

Another option is after a set amount of failed logins, add a captcha. This again, if the captcha is good, hinders their progress dramatically.

HTH,

Kyle

Kyle Rozendo  2009-11-18 21:12:52
A: 

As others have said, Logging passwords is a bad idea.

A much better idea is to throttle login attempts.

If done properly, throttling can greatly decrease the risk of password attacks as well as limiting denial of service attacks.

chills42  2009-11-18 21:14:58
A: 

You could store hashes of failed passwords, if you really want to retain any information about them. It wouldn't allow you tomanually analyze patterns but would allow comparing failed attempts with each other.

That said, I do not think analyzing passwords would yield any useful information.

Robert Obryk  2009-11-18 21:18:33
A: 

As others have pointed out, it's a very bad idea to store plaintext passwords and throttling/limiting login attempts is the right way to go.

If you are concerned about the security of passwords, then you should implement password policies when passwords are created, not at the time of authentication. You can then check in memory for dictionary words and have typical policies such as minimum length, must contain a number, a capital letter, etc.

Of course, password policies can be annoying to users, but they can, theoretically, ameliorate your concerns about weak passwords.

The ugly truth is that passwords are a poor way to prove identity, but the alternatives are more expensive and cumbersome.

David G  2009-11-18 22:01:16

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security